The secret to online safety: Lies, random characters, and a password manager

Or, how to go from "123456" to "XBapfSDS3EJz4r42vDUt."

It's time to ask yourself an uncomfortable question: how many of your passwords are so absurdly weak that they might as well provide no security at all? Those of you using "123456," "abc123," or even just "password" might already know it's time to make some changes. And using pets' names, birth dates, your favorite sports teams, or adding a number or capital letter to a weak password isn't going to be enough.

Don’t worry, we're here to help. We’re going to focus on how to use a password manager, software that can help you go from passwords like "111111" to "6WKBTSkQq8Zn4PtAjmz7" without making you want to pull out all your hair. For good measure, we'll talk about how creating fictitious answers to password reset questions (e.g. mother's maiden name) can make you even more resistant to hacking.

Why you can’t just wing it anymore

A password manager helps you create long, complicated passwords for websites and integrates into your browser, automatically filling in your usernames and passwords. Instead of typing a different password into each site you visit, you only have to remember one master password.

Why bother? The algorithms and tools hackers use to crack passwords are becoming ever more sophisticated and powerful, as we explained last year in "Why passwords have never been weaker—and crackers have never been stronger." Even people with no experience cracking passwords can do so with the tools available today. And as Wired's Mat Honan discovered from personal experience, the interconnectedness of online accounts coupled with insecure password reset mechanisms creates gigantic risk. Once a hacker gets into one of your accounts, all of them may be vulnerable.

Too often people reuse a password across even their most important accounts, or use a base word and add a number or symbol for different sites. A weak password can be exposed by so-called "brute-force cracking," in which computers try all possible passwords until the right one is found. “Dictionary attacks” are more common, however. These use lists of millions or even billions of previously cracked passwords. Even worse, there have been numerous examples of vendors practically gift wrapping password information, storing users' passwords in plain text or suffering security breaches that expose cryptographically hashed password data for millions of people.

Even if your password is exposed only in an obscured, "hashed" form, attackers can often recover the plain text from it. This is especially true for weak passwords, although we've seen that even relatively strong passwords can be cracked. If a password you use across many sites is exposed in this way, you could see hackers take over your e-mail, financial accounts, and social networking profiles.

"Passwords are a terrible system. I mean, passwords are awful," said Jeffrey Goldberg, Chief Defender Against the Dark Arts (yes, that's his real title) at AgileBits. His company makes the password manager 1Password.

So why does Goldberg spend his career helping users manage passwords? As bad as passwords are, no one has come up with anything good enough to replace them across the whole Internet. Goldberg hoped for some 15 years that client certificates (public-key credentials a browser presents to prove its user's identity to a Web service, the mirror image of the certificates servers present to browsers) would do the trick, but the technological and implementation barriers proved too great.

Two-factor authentication systems combining passwords with a second verification method (like one-time security codes sent to your cell phone) are improving matters, but while they've been adopted by the likes of Apple, Google, and Microsoft, you won't find them on every site you care about. PayPal's top security chief is working on a plan to "obliterate passwords from the face of the planet," but that won't realistically happen any time soon.

"People have been trying to replace passwords for a long time, and they all run into the same handful of fundamental problems," such as challenges in setting up a network of trusted third parties (similar to certificate authorities) to sign user credentials, Goldberg said. Thus, the need for passwords and for users to practice good password security "isn't going to disappear over the next few years." Password managers make a terrible system less terrible in Goldberg’s view.

We recently gave three hackers a list of 16,000 hashed passcodes, and they cracked nearly 90 percent of them. To stay in the safe zone, we recommended that passwords contain a "minimum of 11 characters, contain upper- and lower-case letters, numbers, and symbols, and aren't part of a pattern." Password managers will help you create truly random passwords that go well beyond 11 characters.

1Password is one of numerous password management systems. Others include LastPass and KeePass. Now, password managers aren't perfect—there is no such thing as perfect online security in 2013—and they aren't necessarily right for everyone. But if used properly, they would undoubtedly improve security for a large population of people using weak passwords. There may be dozens of websites that you have to log into; without a password manager or some other system, creating strong passwords for each one and remembering them would be a nightmare.

"The way our brain works, most of us, you won't be able to remember completely unique passwords for each and every site," Per Thorsheim, a security expert who organizes the annual PasswordsCon conference, told Ars. "We need some logic, we need something to make our brains able to remember those passwords."

Thorsheim is a LastPass user. He notes that password managers often rely on cloud-based syncing to keep logins available across devices, which introduces a single point of weakness: criminals could target the password service itself rather than any one site. In his view the benefit of a system that creates ultra-strong, unique passwords for each site you visit outweighs this risk, and the risk is small when the manager is designed properly: your vault is encrypted on your own device before it is sent to the cloud servers, and your master password never leaves that device, so the service cannot decrypt what it stores for you. "I trust their encryption scheme," Thorsheim said of LastPass. "I also trust in what I see from AgileBits and others."

Making a password manager part of your routine

I bought 1Password for myself several years ago to help me strengthen my security, particularly for banking and other financial accounts. So let’s look at how to use a password manager with 1Password as an example. Note that this is not an endorsement of 1Password over other systems, as we'll talk about how different password managers offer different approaches.

1Password comes in two parts, a desktop application and a browser plugin that automatically fills your passwords into Web forms such as your e-mail, Facebook, or bank site. 1Password stores all of your passwords in an encrypted file, which can only be accessed with a master password. The first step is choosing a master password that's ultra-strong and that you're capable of remembering. Tips on how to choose a master password are coming (on page 3) but for now, let's look at how 1Password and other password managers integrate into your workflow.

Each time you use 1Password, you'll type in your master password to get started:

Within the application, you'll see the list of sites for which you have saved username and password information. You'll also notice categories like "secure notes" and "wallet," the latter of which is a good place to store credit card information.

If you double-click a site name in that list (underneath where it says "144 items by Title") the website will open in your default browser, and your username and password data will be automatically entered.

Pressing the "Edit" button or double clicking on the right hand side of the 1Password application will bring you into an individual site's entry. Here you can edit username and password data or create a stronger password.

Next to the password field will be a button labeled "Generate." Clicking this will bring you into 1Password's random password generator:

The generator lets you adjust the rules for creating passwords. You can specify lengths from 1 to 50 characters and specify how many digits or symbols should go into the password. It's a good idea to make your passwords as long as possible, although some sites may limit you to 16 characters or some other amount.

You can even choose "pronounceable" passwords, which will give you something like "eck-vor-ev-ig-vin-jo."

The password creator offers no option for "random numbers of digits and symbols," so if you want each password to have different configurations you'd have to change the amount of digits and symbols each time. Goldberg explained that this small concession was made so that 1Password's browser plugin can more easily create passwords to fit the requirements of various sites (e.g. "password must contain at least two symbols and one number").

"The short answer is yes, we lose something here in strength, but when you do the math on realistic examples it turns out to be a small loss," Goldberg said. "The gain is that it is more likely for a generated password to meet the site's requirements on the first shot. Of course, as the kinds of requirements we see in sites changes over time, we might find that we can modify the Strong Password Generator to ditch the 'exactly N digits' business altogether."

(Goldberg discussed some of the more technical decisions AgileBits has made with 1Password in an Ars forum thread last year.)
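To put numbers on Goldberg's "small loss," here is an added example (not AgileBits' code) that computes the entropy of a password of length L drawn freely from the whole alphabet, and of one forced to contain exactly N digits and M symbols, then cross-checks the counting formula by brute force on a tiny alphabet. The character-class sizes (26 upper, 26 lower, 10 digits, a 32-character symbol set) are assumptions; 1Password's actual symbol set may differ.

```python
"""Entropy of a password generator that fixes the number of digits and symbols.

Added example, not AgileBits' code. The character-class sizes below are
assumptions: 26 upper, 26 lower, 10 digits, and a 32-character symbol set.
"""
import math
from itertools import product

UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32  # assumed class sizes
LETTERS = UPPER + LOWER


def unconstrained_bits(length, alphabet=LETTERS + DIGITS + SYMBOLS):
    """Bits of entropy when every position is drawn uniformly from the whole alphabet."""
    return length * math.log2(alphabet)


def constrained_count(length, n_digits, n_symbols,
                      letters=LETTERS, digits=DIGITS, symbols=SYMBOLS):
    """Number of distinct passwords with exactly n_digits digits and n_symbols symbols.

    Choose which positions hold digits, which of the remaining hold symbols,
    then fill every position from its own class.
    """
    n_letters = length - n_digits - n_symbols
    if n_letters < 0:
        return 0
    return (math.comb(length, n_digits)
            * math.comb(length - n_digits, n_symbols)
            * digits ** n_digits
            * symbols ** n_symbols
            * letters ** n_letters)


def constrained_bits(length, n_digits, n_symbols):
    """Entropy of the 'exactly N digits and M symbols' generator."""
    return math.log2(constrained_count(length, n_digits, n_symbols))


def entropy_loss(length, n_digits, n_symbols):
    """How many bits the fixed-count rule gives up versus a free draw."""
    return unconstrained_bits(length) - constrained_bits(length, n_digits, n_symbols)


def brute_force_count(length, n_digits, n_symbols, letters="ab", digits="1", symbols="!"):
    """Cross-check constrained_count on a tiny alphabet by enumerating every string."""
    alphabet = letters + digits + symbols
    hits = 0
    for chars in product(alphabet, repeat=length):
        d = sum(c in digits for c in chars)
        s = sum(c in symbols for c in chars)
        if d == n_digits and s == n_symbols:
            hits += 1
    return hits


if __name__ == "__main__":
    for length, d, s in [(11, 2, 2), (16, 3, 3), (20, 3, 3), (50, 5, 5)]:
        print(f"len={length:2d} digits={d} symbols={s}: "
              f"free {unconstrained_bits(length):6.1f} bits, "
              f"fixed {constrained_bits(length, d, s):6.1f} bits, "
              f"loss {entropy_loss(length, d, s):4.1f} bits")
```

For a 20-character password with exactly three digits and three symbols the fixed-count rule costs a little under 7 bits out of roughly 131, which is the order of loss Goldberg describes; a brute-force attacker still faces a search space far beyond reach, which is why the "first shot fits the site's rules" convenience is a reasonable trade.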

The above screenshots are from a Mac computer. The Windows version of 1Password looks a bit different, but it operates in a similar manner:

Now, the desktop application isn't the most convenient place to generate and retrieve passwords. That's why 1Password and other password managers come with browser extensions that automatically detect sites in which you might want to save existing passwords or generate new ones.

From the desktop application, click "preferences" and then "browsers" to install the extension in your browser of choice. If you click the extension within the browser, you'll get an interface that’s like a stripped-down version of the desktop one:

Like the desktop application, the extension provides a list of websites for which you have accounts:

And a password generator:

When you navigate to a site for which you have a saved login, clicking the browser extension will provide the option of filling the login fields. You can also take this opportunity to generate a stronger password for that site if you haven't already. If you navigate to a site for which you don't have password data saved, 1Password will (most of the time) offer to save it or help generate a new password.

The desktop application does allow you to copy passwords to your computer's clipboard and then manually paste them into a website form (using Control-V on Windows or Command-V on Mac). By default the password is cleared from the clipboard after a short period, such as 90 seconds. However, 1Password officials say it's more secure to let the browser extension fill in the data automatically, which keeps the password out of the clipboard and away from malware that logs keystrokes or reads clipboard contents. You must always type your master password (never store it in a file and copy and paste it), and 1Password uses a "secure input mode" that asks the operating system to stop other applications from observing those keystrokes. If your 1Password data file is stolen, the thief still has to guess the master password: AgileBits derives the vault's encryption key from it with PBKDF2, a deliberately slow key-derivation function, so every guess costs many thousands of hash computations and automated guessing of a strong master password becomes impractical.

"Given how known keyloggers work, 1Password protects against them," Goldberg said. "This is all a bit of an arms race between password managers and keyloggers. Even though the good guys are ahead today, this is a game that is stacked against us in the long run. I think that the only reason that we remain in the lead is that the keylogger writers are content to keep their keyloggers simple at the cost (to them) of not getting the passwords from people who use well designed password managers."

Whether you use a password manager or not, the existence of keyloggers that can read passwords as you type them is just one more reason to practice good desktop security, using antivirus software and keeping your PC up to date with all the latest security fixes.

281 Reader Comments

Your actual encryption key is derived from your password (hashed) combined with your account e-mail (hashed) and then hashed again. There's also a secret key that accompanies every single person's account that is held only on the LastPass servers. That key is also added to the hashed encryption key.

Point is, your encryption key is a combination of many variables, on top of one you don't even know, and it's hashed like 2-4 times.

Hm, I didn't know about the LastPass-held key; it doesn't seem to be mentioned elsewhere. That would seem to contradict paras. 3-4 here https://helpdesk.lastpass.com/security- ... ns-pbkdf2/ which states it's all done client-side (implying even the encryption key creation).

Erm, a bit more than 2-4 I'd say, but I'm not really denying the security of LastPass, just a point of differentiation.
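Both the article's point about PBKDF2 slowing down offline guessing and the thread above about deriving an encryption key from the master password and the account e-mail can be made concrete with an added example (not 1Password's or LastPass's code). It derives a vault key with PBKDF2-HMAC-SHA256, runs the dictionary attack an attacker holding a stolen vault would run, and times a single derivation at two iteration counts. The iteration counts, the e-mail-as-salt layout and the separate login hash are assumptions for illustration, not a description of what either vendor actually ships.

```python
"""Slow key derivation for a password-manager vault, and why it hurts an offline attacker.

Added example, not 1Password's or LastPass's code. The iteration counts, the
use of the account e-mail as salt and the separate login hash are assumptions
for illustration; a real client uses the vendor's documented parameters.
"""
import hashlib
import hmac
import os
import time

KEY_LEN = 32  # bytes of key material, enough for AES-256


def derive_vault_key(master_password, salt, iterations):
    """PBKDF2-HMAC-SHA256: an attacker must repeat all `iterations` for every guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def derive_lastpass_style(master_password, email, iterations):
    """Key from (password, e-mail as salt), plus a login hash so the server never sees the key.

    Constructed to mirror the scheme sketched in the comments; an assumption,
    not a statement of what LastPass actually does.
    """
    key = derive_vault_key(master_password, email.lower().encode("utf-8"), iterations)
    # One extra round with the password as salt: what gets sent to the server for login.
    login_hash = hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, KEY_LEN)
    return key, login_hash


def offline_guess(target_key, salt, iterations, wordlist):
    """Dictionary attack on a stolen vault key: one full PBKDF2 run per candidate."""
    for guess in wordlist:
        candidate = derive_vault_key(guess, salt, iterations)
        if hmac.compare_digest(candidate, target_key):
            return guess
    return None


def cost_per_guess(iterations, samples=3):
    """Seconds for one derivation at this iteration count (median of a few runs)."""
    salt = os.urandom(16)
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_vault_key("timing-probe", salt, iterations)
        timings.append(time.perf_counter() - t0)
    return sorted(timings)[len(timings) // 2]


if __name__ == "__main__":
    # Constructed wordlist standing in for a leaked-password list.
    wordlist = ["123456", "password", "letmein", "abc123", "correct horse", "XBapfSDS3EJz4r42vDUt"]
    salt = os.urandom(16)
    for iterations in (1_000, 100_000):
        key = derive_vault_key("letmein", salt, iterations)
        t0 = time.perf_counter()
        found = offline_guess(key, salt, iterations, wordlist)
        print(f"{iterations:>7} iterations: found {found!r} in {time.perf_counter() - t0:.3f}s "
              f"(~{cost_per_guess(iterations) * 1e3:.1f} ms per guess)")
```

The attacker's cost grows linearly with the iteration count while the legitimate user pays it once per unlock; the wordlist still finds "letmein" because key stretching multiplies the cost of a guess, it does not replace a strong master password.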

I love the idea of password managers, however until they work out a solution for locked down work environments where you can't install stuff on the computer, or mobile devices without administrator privileges, until then it really limits the usefulness if you can't access your passwords from work.

Not a smartass or snarky question - what is it with Ars' refusal to ever acknowledge KeePass in these kinds of articles? It's open source, free as in beer, there are ports for every OS worth mentioning, and some of us aren't keen on having our password locker plugged in to a web browser.

No conspiracy theories, just genuinely curious. The only apps I ever see any real discussion about are LastPass and 1Password.

It's in the article, though I had to reread it to catch it. I think it's the lack of convenience/built in functionality w/browsers. You can integrate it with, say, Firefox extensions, but as I say above, I like it granular and stand alone. Fewer vectors of attack. A bit of convenience traded for a bit more security. I was disappointed in its lack of coverage, esp considering KP is also utterly free, cross platform and open source.

You don't even need browser integration, the auto-type feature functions with a key-combo press and will work with any window, browser or not (on windows).

It even has an "obfuscated auto-type" feature that will randomly break up your login credentials and type a portion of it and copy/paste another portion -- all designed to try to fool keyloggers.

The auto-type feature is one of its best features. It figures out what entry to use based on the title of the window you are trying to use it on (and of course it supports wildcards). Also it has a field reference feature so you can have different login credential entries all point to a single entry (for example: Hotmail and Windows Live ID, and Xbox Live account).

KeePass also has a built in database synchronization feature that allows multiple users to share the same password database. It syncs individual entries so that multiple people can add/create/delete entries simultaneously (as long as the changes aren't conflicting) to a central password database. The built in sync feature provides a more robust database-over-Dropbox sync, as it allows you to sync a local copy to the Dropbox copy to guard against possible Dropbox data corruption.


If an IT admin is denying you the installation of a free-plugin for *any* browser to make your accounts more secure, that's a sign to leave that company.

In many cases I've found websites themselves to be the worst offenders when it comes to security. A bank that doesn't allow anything except letters and digits is asking for brute force attacks. When the security questions have to be chosen from a short drop down list of questions that could all be answered via a Facebook profile it's essential to develop creative yet memorable ways of lying.

Something that I didn't see in the article is deciding where strong security is needed and where it's not only a waste of effort, but an increased risk.

When it comes to online forums like this one at Ars I use a weak password and always will.
1. If someone gets my password the most they could do is impersonate me in an online forum where nobody knows me or really cares what I have to say.
2. I use a pseudonym and never fill in personal details if I can avoid it. If I must enter something I use fictional data.
3. Sooner or later all the hashed passwords for TypePad or Disqus or Livefyre will be dumped and I don't want any of my good passwords to appear in that list. In fact I don't want anything that even appears to be a good password to appear in that list. I not only exposed a pretty good password when LinkedIn was hacked, but I exposed the methodology used to generate that password. I can never generate a memorable password that way again.

I haven't committed to any of the commercial password managers yet. For years I used an obscure Mac app that, because it was PPC native, is no longer able to run on most modern hardware. I have since turned to a combination of my own failing memory, Keychain Access and KeePassX. My most important passwords are in the KeePass database. It's protected against all non-violent attack vectors by layers of encryption and obfuscation that culminate in needing a key file that only exists on two USB flash drives. It's an absolute pain in the ass for me to look up my own passwords so I'm thinking of switching to something more user friendly.


I didn't know about the secret key either until I saw the video that Steve Gibson did on LastPass. Just do a search for it on YouTube. It's like an hour long, but it's really worth watching. It's incredible just how much effort LastPass has put into password security.

Edit: I was just speaking about the encryption key that they use, not how many iterations they use for password hashing. Two different things.


To be honest I wouldn't take on trust anything Steve Gibson says in a video. What's his source?

I'm not saying he's wrong and I've nothing against him personally but his confidence in himself often seems to outstrip his actual knowledge and understanding (or maybe he just doesn't explain things very well sometimes).

You don't even have to write your password down on a piece of paper. You can do something like picking your favorite ebook, grabbing the ISBN number, let's say the ISBN is 6 5 9 7 8 9 8 9, you have the following letters in the alphabet:

A=1 B=2 C=3 D=4 E=5 F=6 G=7 H=8 I=9 J=0

Write down F E I G H I H I for the ISBN, then write down a page number, figure out how you're going to pick words, I'd use some random math, I.E. Pick your starting word, skip 9 words to get to your next word, skip 2 words to get to the next, write down that sequence, 9-2-7-12-3-4-5.

You now have a passphrase that you can pronounce (which helps with memorization) and your password reminder is encrypted. Varying your ciphers would make it even stronger.


His source is that the creators of LastPass took him on a tour and told/showed him how it works.

The passphrase is a good start (and one I have mentioned before), but it is a start. The next step is to feed that into a SHA512 hash or similar, so you have 64 bytes of 'random' *binary* data. Of course, most sites don't want to take anything quite that long or binary data for a password field.

<wax philosophical/retorical>So why exactly do so many sites have an (low) upper limit on password length?</wax philosophical/retorical>


I've been surprised at the weak requirements a lot of banking websites enforce. I've used several online banks over the years and some of them very popular and widespread, but yet they only allow 8 characters, and no special characters. So in essence they are forcing weak passwords. The only thing that I can come up with to explain why some banks don't allow special characters and longer passwords is the potential for XSS. But I figured that could be overcome by verifying input before transmitting data.

I've always assumed this has more to do with the costs of customer service / tech support, "resolving" forgotten (or worse, misremembered) passwords, the Cap-Lock key, etc.

Then there's the cost differential between online banking versus telephone versus in-person, and the banks' consequent eagerness to encourage online dealings, and not create any friction to users migrating in that direction.

And call me a cynic, but I suspect that as long as the banks administer their data centres competently, they can generally write off most losses that they can't shuffle off on to the customers or their insurance.

One thing I've just started doing (because I didn't know about it) is using GMail's ability to add random stuff to your email address (e.g. if my email is example@gmail.com, my Ars email might be example+ars@gmail.com) and still receive it. I don't know that it really helps security, but it does help me figure out where mail is coming from, and it can't hurt.

Wut? Really? That's cool.

(runs off to try it.)

I wouldn't rely on it for security but I have found it useful to be able to tell where someone got my email from.

Yea, like I said, pretty much exactly what I use it for.

And, I dunno, if I get some weird charges from newegg and the address is boskone+bank@gmail.com (no, I don't actually have boskone@gmail.com; some other jerkass got it), then I know who to point at as the PII leak.

It works Nephilim2038 but many sites won't let you use it as it is 'not a valid email address'. Many only let you use either a period or an underscore.

I thought I'd use that to whitelist my emails and reject any that are obviously not from the signed up site. Obviously the site would be also rejected. After attempting many sites I just gave up and used my email.

It is now coming back to bite me; I'm getting spam for the first time in gmail inbox after (when did they first send out invites? Heck! 2004.) 8 years.* A year ago I was boasting I never even noticed spam in the spam folder.

Any suggestions what to do now that I've made the mistake wrt usernames and email addresses? I would rather not abandon this account.

* I know, it is 9 years since it began; I wasn't an early bird. More like the second wave or something.

FWIW, I think you can also add random dots into your email address. E.g. example@gmail.com, e.xample, exa.mple, etc are all the same email to gmail. Dunno about underscores.

[edit]So, I guess, sign up with a really long name and you have at least that many "slots" for the dot. I wonder if johnjacobjingleheimerschmidt is taken...
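An added helper (not from the article or the commenters) implementing the two Gmail rules described in this thread, plus-tags and dot-insensitivity, so that a list of sign-ups can be collapsed to the mailbox that actually receives the mail and a tagged address can be traced back to the site that leaked it. The provider lists are assumptions; other mail providers handle "+" and "." differently, so addresses on other domains are left alone.

```python
"""Canonicalise Gmail addresses that use plus-tags and dot variants.

Added example, not from the article. It assumes the two Gmail rules the
comments describe: text after '+' in the local part is ignored, and dots in
the local part are ignored. The domain lists are assumptions; other providers
differ, so their addresses are returned unchanged apart from case.
"""
from collections import defaultdict

PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com"}        # assumed
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}  # assumed


def canonical(address):
    """Return (mailbox that actually receives mail, plus-tag or None)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    tag = None
    if domain in PLUS_TAG_DOMAINS and "+" in local:
        local, tag = local.split("+", 1)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}", tag


def tagged(address, site):
    """Per-site address, so a later leak can be traced to the site that held it."""
    local, _, domain = address.rpartition("@")
    return f"{local}+{site}@{domain}"


def group_by_mailbox(addresses):
    """Group sign-ups that land in the same inbox, e.g. to spot duplicate accounts."""
    groups = defaultdict(list)
    for addr in addresses:
        mailbox, _ = canonical(addr)
        groups[mailbox].append(addr)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sign-up list.
    signups = ["example@gmail.com", "ex.ample+ars@gmail.com", "EXAMPLE+bank@Gmail.com",
               "e.x.a.m.p.l.e@gmail.com", "example@otherhost.example", "ex.ample@otherhost.example"]
    for mailbox, variants in group_by_mailbox(signups).items():
        print(mailbox, "<-", variants)
    print(canonical("boskone+bank@gmail.com"))  # the tag names the site that had the address
```

The same canonicalisation is what a site should apply before enforcing "one account per e-mail address"; without it, the dot and plus variants look like distinct users.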

maybe someone's already posted this, but writing your master password down on a piece of paper would be a pain in the hole if it implies you're unable to memorise it; I probably type my password in 10-20 times a day.

If the limit is 8-12 characters, you'd better assume it's the latter and run away; if it's around 20, it's probably the idiotic former, more or less safe but reflects on the "security experts" working there.


I noted the following horrible security question prompts from a bank a few months ago. Sadly, far too many are like this:
- "What is your favorite television show?" (because I'll never like something new)
- "What is the first name of your youngest child?" (because I'll never have another child)

Security strength aside, I don't know why the manual-password-reset guys don't freak out about idiotic questions like this, given the number of times they must talk to people who are answering the questions correctly, but not consistently.

My bank goes one step further to inconvenience and confuse its online clients -- even though log-in passwords are not case sensitive, the friggin "security question" answers are case sensitive.

1. Make up a sentence. Let's take this for example, "I wish I could go to <insert website name here, in this case "Ars"> tomorrow!"

2. Which translates to IwIcgtArst!

3. Throw in some digits and maybe another symbol so it looks something like this: 43IwIcgtArst!76@

4. Rinse and repeat swapping out each sites name into the password. You essentially create a random password just by using the first letter and punctuation of the sentence you create (and adding in some numbers and extra symbols if you so choose)

The sentence I use is a bit more complex than this example - my passwords are 16 characters before I even add the site name in the mix.


And like hell it's easier to remember than ldIc5\Rd5Q]T7Z5=. Was it !76@ or @67! or 66!@, and which one letter did I capitalize?..

You essentially create a pseudorandom password but as hard to remember as a real random one and might do better with just the original sentence.

I find myself going the strong password and good security practices route every now and then, only to give up in defeat and choosing the path of least resistance.

Complex passwords are great, until you have to enter them on a mobile device, or if you desperately have to log in to something when you don't have your mobile phone with you (not often, but it does happen in places where camera phones, or even phones in general are prohibited), or it's out of battery (now this happens a lot). The situation gets even more complex when 2FA comes into play.

Now you're stuck, and you try to reset your password, and realize that answers to all your secret questions were also a bunch of randomly generated strings (also, this is pretty fun when trying to phone support and getting asked questions to verify your identity).

Then you go fuck it all, and when you're back, change it all back to the path of least resistance.

I don't think it's that users are against choosing good security, but preferring to choose a balance between security and usability.

I think your experience is common--security is generally at odds with usability. I think 2FA actually makes the situation better by allowing you to use your normal memorable passwords while still being secure. Among two-factor solutions, I think Toopher is the most usable--Toopher uses your smartphone's location to automate authentication attempts made from known good locations. Simple, secure, and usable. The future is going to be a wonderful place

This is more a vent than a comment, but I have grown to hate "security questions."

A banking site recently required me to update my account by adding a bunch of these. The first one gave me five choices of questions, and I didn't know the answers to any of them. Something like:
1) What is your maternal grandfather's middle name? [Damned if I know. He died over 30 years ago when I was a child.]
2) What is your oldest sibling's middle name? [I am an only child.]
3) Where were you on New Year's Eve, 1999? [Drinking somewhere, presumably, but I have no idea where at this point.]
4) What is your maternal grandmother's middle name? [See 1. What the hell is with all the middle names?]
5) What was the first state you visited, other than your home state? [Ask my parents; they took me lots of places before I could remember anything.]

So I picked one at random, and made up a ridiculous answer.

That will show them.

Don't get me started on the retarded idea of security questions. It's got to the point where I now use standard answers no matter the question essentially turning them into another password prompt. And to be frank, that's just as secure if not more so as such an approach is immune to social vector phishing.

I'd love to know what the 3 password hackers from the previous article, Anatomy of a hack: How crackers ransack passwords like "qeadzcwrsfxv1331" think of Password Managers like the ones mentioned in this article.


One thing I don't see really covered here is team functionality. Are there password managers (or in general good strategies) for sharing passwords with others on your team? There are plenty of resources where I may want to share out a password to a co-worker (e.g. 3rd party resource like departmental Vimeo account) and so make a password database file for a certain project or level of clearance. How do people keep these passwords in sync across team members?

Preemptively - of course I try to minimize the number of shared passwords by creating accounts for new team members when I control the resource. But one doesn't always have that degree of control.

I noted the following horrible security question prompts from a bank a few months ago. Sadly, far too many are like this:
- "What is your favorite television show?" (because I'll never like something new)
- "What is the first name of your youngest child?" (because I'll never have another child)

Security strength aside, I don't know why the manual-password-reset guys don't freak out about idiotic questions like this, given the number of times they must talk to people who are answering the questions correctly, but not consistently.

My bank goes one step further to inconvenience and confuse its online clients -- even though log-in passwords are not case sensitive, the friggin "security question" answers are case sensitive.

Nothing will ever beat Fidelity, though. They limit you to, I think, twelve characters. Special symbols are NOT allowed at all. Just alphanumeric characters.

But wait! That's just the beginning. Internally they convert your twelve character password into numbers based on a touch tone phone pad. So if your password started with the following six characters: abcABC, internally your password is stored as 111111. And, of course, if your password were to change to AbcCaB, internally it would still be stored as 111111.

So: no special characters, no differentiation between upper and lower case characters, twenty-six unique characters compressed (invisibly, behind your back) into ten unique characters. The total password space is limited to one trillion unique passwords (assuming you use all twelve places allotted to you).

I have actually tested this. I translated my password into digits based on a phone pad and was able to log in with this bullshit password without any problems.

I have no idea how they store these passwords, but if they are using a weak hashing algorithm then the entire password table can be cracked in less than two minutes on a normal password cracking system. And given how stupid their password system is, I have no reason to believe they actually know enough to not use a weak system. I suspect this is a legacy from when all their customers only used the phone to manage their money, but they need to get with the program here.

Sent them a note about this as I moved my money to a different institution. But they don't care.
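As an added illustration (not from the article or from any commenter), the following code models the keypad-style collapse described in this comment and measures how much of the password space it throws away. It assumes the standard ITU E.161 keypad layout, on which a, b and c share key 2, and the twelve-character alphanumeric limit stated above; the bank's real mapping is not known here.

```python
# Added example: keypad canonicalisation of passwords and the entropy it destroys.
# Assumes the standard ITU E.161 layout (2=ABC ... 9=WXYZ); constructed, not the bank's code.
import math

KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
# Reverse table: every letter, either case, -> the digit of its key.
LETTER_TO_DIGIT = {
    ch: digit for digit, letters in KEYPAD.items()
    for ch in letters + letters.upper()
}


def canonicalise(password: str, max_len: int = 12) -> str:
    """Collapse an alphanumeric password the way the comment describes:
    truncate to max_len, then replace every letter by its keypad digit.
    Characters outside [A-Za-z0-9] are rejected, as the site rejects them."""
    out = []
    for ch in password[:max_len]:
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"character not allowed: {ch!r}")
    return "".join(out)


def same_effective_password(a: str, b: str) -> bool:
    """True when two distinct passwords would be accepted as the same one."""
    return canonicalise(a) == canonicalise(b)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def effective_loss_bits(length: int = 12) -> float:
    """Bits lost by squashing 62 alphanumerics onto 10 digits."""
    return keyspace_bits(62, length) - keyspace_bits(10, length)


if __name__ == "__main__":
    print(canonicalise("abcABC"), same_effective_password("abcABC", "AbcCaB"))
    print(f"{keyspace_bits(62, 12):.1f} bits nominal, "
          f"{keyspace_bits(10, 12):.1f} bits after collapse "
          f"({effective_loss_bits():.1f} bits lost)")
```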

Would they be stopped by LastPass or 1Password?

One of them, Jeremi Gosney, is a LastPass customer.

Yar, I use LastPass. But I also endorse 1Password from a security standpoint, as Jeff Goldberg works closely with the password cracking community. Jens Steube also recently switched from KeePass to 1Password, if I recall correctly.

Just to add to the comments on Linux compatibility, LastPass works well for me on Firefox, Chrome, Chromium, and Opera 12 (presto).

KeePassX is a very solid local password manager if you prefer to avoid the cloud. As someone else mentioned, they are working on a complete rewrite which will allow use of the version 2 database format used by the more common Windows version of KeePass.

One tool that I haven't seen anyone mentioning is hardware-based password managers, or at least password managers that use hardware encryption on an external device.

I second this.

Quote:

I personally use the IronKey, which I find is a very good solution. Among other benefits it's tamper-evident and tamper-resistant. It uses extremely effective encryption at the hardware level, and makes it very difficult to copy the resident data so that a hacker can attempt to decrypt it at a later date on his own time without risks.

It comes with a number of privacy features, many of which are outside the scope of the article, but it also includes a password safe and generator.

Can you use this locally with open source software? From the website, it looks like it requires proprietary software and a management server somewhere.

You only need a management server for the enterprise editions. There is a personal edition that does not require this. There is built-in proprietary software handling the hardware encryption. You have to use their software because it is a hardware solution. Once you unlock the partition and gain access to the data you can use your own software or the software they provide.

Well, it's obvious that the strongest part of your password should be the password itself, since it is the one thing you actually do have control over. I see site after site that has completely fucked up systems that limit passwords to 12 chars or, even worse, 6-8. They should be setting their minimums far over their maximums. I mean, FFS, the power behind decrypting passwords is at an all-time high and will only continue to rise. Many sites keep the same shitty encryption and let the users think they're safe when that is not even close to the truth.

Companies keep too much user data too close which is a horrible practice if they get hacked and millions of passwords are dumped. It's only a matter of time till the list is completely destroyed and by that I mean days or even hours before the majority are decrypted.

Honestly, when it comes to passwords and the actual user, all of their information should be encrypted, then sent to a local network storage database with one-way access only. It's not like we're actually having to reset our passwords every single day; then again, I could be wrong. Emails should be excluded from actually being a username as well.

The best information a database dump should contain is a list of encrypted usernames and encrypted passwords. No personal data should ever be at risk because it doesn't have to be. That data could still be pulled up if needed locally by tech support, which may be some extra work ("heaven forbid"), but that extra effort by the company may stop massive amounts of identity theft if they ever have a bad day ("most do at one point or another"). If that does happen, all they have to do is force a mandatory password reset, which prevents the hackers from actually getting on someone's account to see anything stored. So even when the list is cracked they gain nothing of true value other than a username/dead password.

I love the idea of password managers; however, until they work out a solution for locked-down work environments where you can't install stuff on the computer or mobile devices without administrator privileges, it really limits the usefulness if you can't access your passwords from work.

If an IT admin is denying you the installation of a free plugin for *any* browser to make your accounts more secure, that's a sign to leave that company.

That depends. You're assuming that Joe User knows more about this than the IT admin... It may be true in some cases, but certainly not all cases. If you're the IT admin, how do you make sure that Joe User is knowledgeable enough to only install valid browser extensions, and he won't get tricked into installing malware when he installs the free "Passwerd Keyperz" plugin he downloaded from some sketchy corner of the internet?

I don't mind that an IT department is having oversight and auto-disabling installation of whatever plugin or whatever executable. That makes sense to me. My company has a similar policy. They want to keep their network safe; I get it.

I do mind if they're not willing to do the research, or execute the installation for you upon request, as I consider that part of their jobs. Any Google query of 'LastPass' or '1Password' will hint at their legitimacy. I expect IT admins / staff to do that much due diligence.

Another issue: You constantly have to unlock the password program, and you tend to want to keep *that* password short. But as I've learned from Ars, you really should be making that password uncrackable. Some of the programs accept spaces in passwords, which makes it easier, but if I'm entering it 20 times a day I don't want it that long.

If I've understood correctly, this can be helped by increasing the number of "key transformation rounds". This adds a constant time to brute-force and dictionary attacks, making them less effective. In my KeePass database file this is set to create a noticeable (but not long enough to annoy me) "lag" from the time I enter the correct master key to when the database opens. I believe this "lag" would be in between each brute-force guess. So making millions of guesses with 0.1 second between each becomes a harder task.

So the master password can be made somewhat easier (within limits) and still strong (enough).
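An added example (not from KeePass or from any commenter) of the effect described in these two comments: every key-stretching round adds a fixed cost to each unlock, and an attacker pays the same cost on every guess. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for KeePass's transformation rounds, a constructed salt, and assumes the attacker's per-guess cost equals ours (dedicated cracking hardware does better, so the estimates are a floor, not a promise).

```python
# Added example: cost of key-transformation rounds for defender and attacker.
# PBKDF2 stands in for KeePass's own key derivation; salt and figures are constructed.
import hashlib
import time

SALT = b"constructed-sample-salt"   # constructed; a real vault stores a random salt

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(master: str, rounds: int) -> bytes:
    """Stretch a master password with `rounds` iterations; same inputs, same key."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), SALT, rounds, 32)


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Measure the wall-clock cost of one derivation at this round count."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing probe", rounds)
    return (time.perf_counter() - start) / samples


def rounds_for_delay(target_seconds: float, probe_rounds: int = 10_000) -> int:
    """Choose a round count so that one unlock costs roughly target_seconds here.
    This is the tuning the comment describes: a lag you notice but can live with."""
    per_round = seconds_per_guess(probe_rounds) / probe_rounds
    return max(1, int(target_seconds / per_round))


def years_to_exhaust(keyspace: float, secs_per_guess: float, parallel: int = 1) -> float:
    """Years an attacker needs to try every password in `keyspace` when each
    guess costs secs_per_guess and `parallel` guesses run at once."""
    return keyspace * secs_per_guess / parallel / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The comment's 0.1 s lag against a one-trillion-password space, vs. no stretching.
    rounds = rounds_for_delay(0.1)
    cost = seconds_per_guess(rounds)
    print(f"{rounds} rounds -> {cost:.3f} s per unlock")
    print(f"10^12 guesses at that cost: {years_to_exhaust(1e12, cost):.0f} years")
    print(f"10^12 guesses at 1 round:   {years_to_exhaust(1e12, seconds_per_guess(1)):.2f} years")
```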

Agreed. Honestly, I was overjoyed when our IT team authorized KeePass for corporate computers, as I'd been using it for years already.

No conspiracy theories, just genuinely curious. The only apps I ever see any real discussion about are LastPass and 1Password.

It's in the article, though I had to reread it to catch it. I think it's the lack of convenience/built-in functionality with browsers. You can integrate with, say, Firefox extensions, but as I say above, I like it granular and stand-alone. Fewer vectors of attack. A bit of convenience traded for a bit more security. I was disappointed in its lack of coverage, especially considering KP is also utterly free, cross-platform and open source.

You don't even need browser integration, the auto-type feature functions with a key-combo press and will work with any window, browser or not (on windows).

Yes, you and I know this. People who don't use KP heavily, and really look into its features, won't. In KP, double-click on the link of the site I want to authenticate into (which I make the login page), focus shifts to my browser opening said page, click on the user name field, Ctrl+Alt+A, done. Discounting the website's load time, that's literally a 1-second transaction, 2 sec. if you turn on obfuscation. Or tweak your auto-fill if, say, you don't need a user name, like when I mount a TrueCrypt partition and all I need is [password]+[enter]. Yeah, lots of very cool features in KP that I think most of its users will know about.

But for people espousing LastPass, etc., I *think* it's the lack of integration that keeps many of them on the LP/1P bandwagon, which is what I was referring to above. It probably saves like half a step from KP usage, or you don't have to set up or tweak things like auto-fill settings in the first place. Having said that, I'm sure they're all fine products and plenty of security pros use/endorse LP/1P, so really, it's all good as long as you use *something*.